CISA for IT Audit Entry?

I would like to hear from those who are CISA certified and others who work in IT Audit. What is needed to gain an entry IT Audit position? I have Bachelor and Master degrees in Accounting and have had 3 audit related classes but lack audit work experience. I have taken several IT classes in the Information Assurance/Security area and have passed CompTIA Network+ (830/900) and Security+ (861/900) exams. I lack experience in IT and am wondering if taking and passing the CISA should be my next step to try and gain an IT Audit position? I never see any entry-level IT Auditor positions advertised and would like to hear the best way to get into IT Audit without the experience.

Find more posts tagged with

Comments

idr0p

CISA is a hot certification for IT Auditing.. if you get that you can most likely try to get into a auditor position in one of the big 4 financial firms. esp. with your accounting background you might be perfect for the entry level position.

burfect

How does one actually BREAK into IT auditing? I see all these positions that are "entry level" that require these certs, but how can you get the certs without the exp? Seems like a catch 22.

JDMurray

The organization that maintains the CISA certification, ISACA, probably has some good information on their Web site about that. If you are really interested in IT auditing, you should find the ISACA chapter in your local area and attend a chapter meeting.

burfect

JDMurray wrote: »

The organization that maintains the CISA certification, ISACA, probably has some good information on their Web site about that. If you are really interested in IT auditing, you should find the ISACA chapter in your local area and attend a chapter meeting.

I have done some research on this very topic and it appears a lot of people who have Cisa or go the IT auditing route don't really have much IT knowledge at all. It seems based on my readings (obviously you know better than me) that a lot of IT auditors get their roots from general accounting/auditing and migrate to IT auditing for one reason or another.

I do notice that a lot of people that have the CISSP (and hardly ever any CompTIA MS or pure IT certs) also have the CISA and sometimes a CISM as well, how they go about gaining experience in two different fields (security vs auditing) I do not know.

If anyone on here who holds the CISA/CISM that does NOT come from a pure accounting background could share how they got their start in the field, and how they gained experience towards the CISA requirements I would love to hear it.

I am a recent graduate who is unsure of wich path to take, but having a background in MIS with experience in basic accounting courses, as well as general IT, this is one that interests me. Thanks.

JDMurray

Yes, a lot of auditors have financial backgrounds and are even CPAs. However, there are information systems that have nothing to do with finances. In such cases, auditors who know the specifics of information storage, such as database administrators, find work as auditors. I know several programmers that transition from software development to auditing because they knew the systems to be auditing and found the tedious, regimented, task-based aspects of auditing very appealing.

mang109

I work as an IT Auditor, and am almost CISA certified ( I have the exam passed, just filling forms)

The way I got into IT Audit was through one of the Big 4 (E&Y,PWC,KPMG, DTT - They are all the same really).

I had 0 IT experience, all I had was a good degree (Maths) and they took me on and trained me into IT Audit. Many of my peers at the time came from varying backgrounds, even one guy with a degree in Zoology, others with 5+ years work experience in other sectors.

I would strongly reccomend you look at Big 4 Graduate Schemes (Even if you havent recently graduated, they take anyone who is looking at starting fresh, and has a degree - and they will really like accounting as it supports their core business).

Other common routes I have seen is starting out in IT support/analyst, then moving across after a few years - however that will take time.

Good Luck! - PM me if you have any Big 4 questions.

andhow

I was recruited into the IT Audit role. My background was in IT operations; specifically in the areas of DR, Server Management, SAN, Data Center, and Enterprise Backup/Recovery. It seemed that whenever there was an audit in the IT department, I was involved as a major or minor stakeholder. I developed some credibility by working with the auditors and proactively implementing strong and consistent controls. When the Internal Audit Department decided to create a specific role around IT audit, they reached out to me to manage it. They felt that they could teach me the traditional audit skills and valued my insight and track record for establishing reasonable controls.

My advice... whatever you do, do it well. Foster collaboration and design with the big picture in mind and deliver. If you start in a traditional IT role, make sure your coworkers and management see you as a team player with vision. Reach out, respectively, to the Internal Audit department and let them know that you intend to continue succeeding in your current role, but if there is an opportunity in IT audit, you'd love the opportunity to succeed there as well.

Good luck with your endeavors!

GoodBishop

I believe this sums it up.

CISA.jpg

GoodBishop

burfect wrote: »

I have done some research on this very topic and it appears a lot of people who have Cisa or go the IT auditing route don't really have much IT knowledge at all. It seems based on my readings (obviously you know better than me) that a lot of IT auditors get their roots from general accounting/auditing and migrate to IT auditing for one reason or another.

I do notice that a lot of people that have the CISSP (and hardly ever any CompTIA MS or pure IT certs) also have the CISA and sometimes a CISM as well, how they go about gaining experience in two different fields (security vs auditing) I do not know.

If anyone on here who holds the CISA/CISM that does NOT come from a pure accounting background could share how they got their start in the field, and how they gained experience towards the CISA requirements I would love to hear it.

I am a recent graduate who is unsure of wich path to take, but having a background in MIS with experience in basic accounting courses, as well as general IT, this is one that interests me. Thanks.

I can answer this one. I did 7 years of IT doing help desk, system administration, and IT security project work, and I worked for a consulting company. I decided, on my own, to get the CISA, because it was the hot certification at the time as well as it would expand my skillset. I was fortunate to be able to be part of the team on a few IT audits for the consulting company, as well as responding to internal audit requests. Between that, my degree, and the security work I did prior to that, I was able to study for the test in a day and pass by one question (aka, what do they call the medical student who graduated with the lowest gpa? Doctor.).

After that though, I moved, and got a "pure" IT audit position for a couple of years. That really was good IT audit experience. I've taken that and moved on to management now. So it is helpful.

GoodBishop

burfect wrote: »

How does one actually BREAK into IT auditing? I see all these positions that are "entry level" that require these certs, but how can you get the certs without the exp? Seems like a catch 22.

Boromir says it all...

ITaudit.jpg

LarryDaMan

JDMurray wrote: »

...found the tedious, regimented, task-based aspects of auditing very appealing.

Ah yes, for some reason I don't miss the days of intensely debating things like the nuances of the term "master data". Nor do I miss the nerds fights which occurred when attempting to deconstruct the meaning/intent behind a vague FISCAM or NIST security control.

Your adjectives are spot on, and maybe I do miss it a little.

burfect

GoodBishop wrote: »

I can answer this one. I did 7 years of IT doing help desk, system administration, and IT security project work, and I worked for a consulting company. I decided, on my own, to get the CISA, because it was the hot certification at the time as well as it would expand my skillset. I was fortunate to be able to be part of the team on a few IT audits for the consulting company, as well as responding to internal audit requests. Between that, my degree, and the security work I did prior to that, I was able to study for the test in a day and pass by one question (aka, what do they call the medical student who graduated with the lowest gpa? Doctor.).

After that though, I moved, and got a "pure" IT audit position for a couple of years. That really was good IT audit experience. I've taken that and moved on to management now. So it is helpful.

To piggyback on this... is it possible, or should I say "common" to transition from IT Auditing into a more specific/technical "IT Security" /CISSP type of role. IE, if one were looking to get into security down the road, would auditing be a good foot in the door? I imagine many CIO's have spent time in IT auditing in one aspect or another?

burfect

burfect wrote: »

To piggyback on this... is it possible, or should I say "common" to transition from IT Auditing into a more specific/technical "IT Security" /CISSP type of role. IE, if one were looking to get into security down the road, would auditing be a good foot in the door? I imagine many CIO's have spent time in IT auditing in one aspect or another?

bumping this

tpatt100

I got into auditing from security, pretty much by accident. I needed a job and I got some auditing work and used my security background plus what I learned in school to wing it.

burfect

Interesting... I see many paths between auditing/security can be somewhat interchangeable. Curious, how did you land into your security/CiSSP type of roll and what made you jump to auditing other than a need for employment?

Thanks

paul78

burfect wrote: »

is it possible, or should I say "common" to transition from IT Auditing into a more specific/technical "IT Security" /CISSP type of role. IE, if one were looking to get into security down the road, would auditing be a good foot in the door? I imagine many CIO's have spent time in IT auditing in one aspect or another?

I actually do not know any CIO's that have an audit background. But that doesn't mean that they were not exposed to audit functions. More typically, a CIO is the target of an audit and reacted accordingly.

As to your question about whether it is possible to transition from an audit function to a more technical security function. I don't see that very often either. But I do see the opposote where a more technical security practitioner transitions to an audit function.

Usually, if I encounter a security practitioner who comes from an audit background, they tend to be in governance or compliance roles.

This of course, doesn't mean that it cannot be done. It's just my observation.